[fix][sec] Upgrade commons-configuration2 to 2.15.0 to address CVE-2026-45205 #25844

Merged: lhotari merged 1 commit into apache:master from lhotari:lh-upgrade-commons-configuration2-2.15.0 on May 21, 2026

lhotari (Member) commented May 20, 2026

Motivation

Upgrade commons-configuration2 from 2.12.0 to 2.15.0 to address CVE-2026-45205, a medium-severity vulnerability affecting versions prior to 2.15.0.

The upgrade is a routine dependency bump within the 2.x line and is API-compatible.

Modifications

  • Bump commons-configuration2 from 2.12.0 to 2.15.0 in gradle/libs.versions.toml.
  • Update the bundled artifact name in distribution/server/src/assemble/LICENSE.bin.txt.

Verifying this change

  • Make sure that the change passes the CI checks.

This change is a trivial rework / code cleanup without any test coverage.

Does this pull request potentially affect one of the following parts:

  • Dependencies (add or upgrade a dependency)
  • The public API
  • The schema
  • The default values of configurations
  • The threading model
  • The binary protocol
  • The REST endpoints
  • The admin CLI options
  • The metrics
  • Anything that affects deployment

Upgrades the commons-configuration2 dependency. API-compatible patch within the 2.x line.

Documentation

  • doc-required
  • doc-not-needed
  • doc
  • doc-complete

lhotari merged commit 7220158 into apache:master May 21, 2026
79 of 83 checks passed
lhotari added this to the 5.0.0-M1 milestone May 31, 2026
lhotari added a commit that referenced this pull request May 31, 2026
lhotari added a commit that referenced this pull request May 31, 2026